When using the Azure CAF, at some point when you're all set up and ready to go, you have to connect it to your organisation.
I imagine that simply plugging an Azure CAF platform that has a 0.0.0.0 route advertisement into a corporate network that already has a 0.0.0.0 would result in some undesired behaviour?
What would be the preferred/most correct way to stop 0.0.0.0 being advertised over ExpressRoute into your on-prem?
Should we attempt to stop the advertisement on the Azure side, or filter the BGP on the on-prem networking side?
The doc doesn't really seem to have much to say on the subject.
Has anyone had to deal with this?
Stopping Azure CAF advertising 0.0.0.0 over ExpressRoute
There is no better direct way to fix this from our end: Azure doesn't have native outbound route filtering, so managing this from the on-premises BGP configuration is the approach we can recommend.
So, the final conclusion for the requirement mentioned is that there is no better way to do this than to fix it with the correct BGP configuration on-premises and move on.
To do this from the on-premises side, here is a demo configuration that blocks the 0.0.0.0/0 default route:

! Prefix-list that matches only the default route (exact match, no ge/le)
ip prefix-list DEFAULT_ROUTE seq 5 permit 0.0.0.0/0
!
! Clause 10 drops anything matching DEFAULT_ROUTE; clause 20 must belong
! to the SAME route-map, otherwise the implicit deny at the end of
! BLOCK_DEFAULT_ROUTE would drop every prefix learned from Azure
route-map BLOCK_DEFAULT_ROUTE deny 10
 match ip address prefix-list DEFAULT_ROUTE
route-map BLOCK_DEFAULT_ROUTE permit 20
!
! Apply the route-map inbound on the ExpressRoute BGP session
router bgp <YOUR_AS_NUMBER>
 neighbor <AZURE_PEER_IP> route-map BLOCK_DEFAULT_ROUTE in
Refer:
On-premises expressroute BGP is advertising 0.0.0.0/0 and using Azure Firewall to control traffic (including internet) - Microsoft Q&A, answered by Ganesh Patapati.
https://learn.microsoft.com/en-us/azure/expressroute/expressroute-routing
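To sanity-check an inbound route-map like the one in the answer before it is applied to a live ExpressRoute session, the following is an added example (not part of the answer or any vendor tool) that models IOS-style prefix-list and route-map evaluation in Python. The received prefixes are constructed sample values, not real Azure advertisements. It demonstrates the point that matters for this question: a route-map whose only clause is a deny ends in an implicit deny and drops everything, whereas a trailing permit clause in the same route-map lets the specific Azure prefixes through while still blocking 0.0.0.0/0.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IPv4Net = ipaddress.IPv4Network


@dataclass
class PrefixEntry:
    """One `ip prefix-list NAME seq N permit|deny PREFIX [ge X] [le Y]` line."""
    seq: int
    action: str                 # "permit" or "deny"
    prefix: IPv4Net
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route: IPv4Net) -> bool:
        # The route must fall inside the entry's prefix...
        if not route.subnet_of(self.prefix):
            return False
        # ...and its length must be exact unless ge/le widen the range.
        if self.ge is None and self.le is None:
            return route.prefixlen == self.prefix.prefixlen
        lower = self.ge if self.ge is not None else self.prefix.prefixlen
        upper = self.le if self.le is not None else 32
        return lower <= route.prefixlen <= upper


@dataclass
class RouteMapClause:
    """One `route-map NAME permit|deny SEQ` block with an optional prefix-list match."""
    seq: int
    action: str                 # "permit" or "deny"
    match_prefix_list: Optional[str] = None   # None means "match anything"


def prefix_list_permits(entries: List[PrefixEntry], route: IPv4Net) -> bool:
    """First matching entry wins; an unmatched route hits the implicit deny."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.matches(route):
            return entry.action == "permit"
    return False


def evaluate_route_map(clauses: List[RouteMapClause],
                       prefix_lists: Dict[str, List[PrefixEntry]],
                       route: IPv4Net) -> bool:
    """True if the route-map accepts the route; falls through to implicit deny."""
    for clause in sorted(clauses, key=lambda c: c.seq):
        if clause.match_prefix_list is None:
            return clause.action == "permit"
        if prefix_list_permits(prefix_lists[clause.match_prefix_list], route):
            return clause.action == "permit"
    return False


# Mirrors `ip prefix-list DEFAULT_ROUTE seq 5 permit 0.0.0.0/0` (exact match only).
PREFIX_LISTS: Dict[str, List[PrefixEntry]] = {
    "DEFAULT_ROUTE": [PrefixEntry(5, "permit", ipaddress.ip_network("0.0.0.0/0"))],
}

# Corrected policy: deny the default route, then permit everything else.
CORRECTED_ROUTE_MAP = [
    RouteMapClause(10, "deny", "DEFAULT_ROUTE"),
    RouteMapClause(20, "permit", None),
]

# Mis-typed policy: the permit clause was put under a different route-map name,
# so BLOCK_DEFAULT_ROUTE contains only clause 10 and ends in an implicit deny.
BROKEN_ROUTE_MAP = [
    RouteMapClause(10, "deny", "DEFAULT_ROUTE"),
]

# Constructed sample of what the Azure side might advertise (hypothetical values).
RECEIVED_FROM_AZURE = ["0.0.0.0/0", "10.100.0.0/16", "10.200.0.0/22"]


def apply_inbound_policy(route_map: List[RouteMapClause],
                         received: List[str]) -> List[str]:
    """Return the prefixes that would be installed after the inbound route-map."""
    accepted = []
    for text in received:
        route = ipaddress.ip_network(text)
        if evaluate_route_map(route_map, PREFIX_LISTS, route):
            accepted.append(text)
    return accepted


if __name__ == "__main__":
    print("corrected:", apply_inbound_policy(CORRECTED_ROUTE_MAP, RECEIVED_FROM_AZURE))
    print("broken:   ", apply_inbound_policy(BROKEN_ROUTE_MAP, RECEIVED_FROM_AZURE))
```

The exact-match rule in `PrefixEntry.matches` is why `permit 0.0.0.0/0` without `le 32` catches only the default route and not every prefix; after applying the real policy, compare the output of `show ip bgp neighbors <AZURE_PEER_IP> received-routes` against the routes actually installed to confirm only 0.0.0.0/0 was dropped.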